Are Phishing Emails still a problem?

With so much technology and software available these days to stop malware and malicious emails from reaching our systems, it is fair to ask: are phishing emails still a problem?

Email is still one of the most widely used communication technologies because of its versatility and ease of use. The downside is that we now receive a swarm of emails every day from people and companies we have never met, and it is sometimes hard to tell which are real and which are fake. This gets a bit much at times, so we implement email filtering to try to get rid of the 'junk' emails that are only trying to catch us out. Some email products even do this automatically, detecting what they think are spam or junk emails and moving them to a separate folder. Emails can also carry malicious code that infects our systems, or encrypts our data and demands a ransom in return for the decryption key.

Mass phishing – This is the most common type of attack, where an email is sent to an indiscriminate list of recipients including companies, employees and consumers. These attacks use generic hooks that try to get you to log in to, or pay for, something via PayPal or your bank. They sometimes contain links that download malicious code, adding your device to a botnet, exploiting a browser vulnerability to steal your data, or turning the machine into a zombie for later use.

Spearphishing – This is a much more targeted attack aimed at individuals in a specific organisation. It exploits people's trusting and helpful nature by pretending to be an email from someone inside the organisation, such as the CEO's personal address, or by using a domain that is almost identical to the organisation's and asking someone to review a document with malicious code embedded in it. These attacks generally aim either to steal large amounts of personal data and sell it on, or to hold it to ransom.

Whaling – This is the most sophisticated, tailored and targeted form of phishing. Whaling is aimed at senior executives or other high-profile individuals, with the aim of compromising their machine. Open-source information on the target is gathered from a variety of sources, such as social media, to build an understanding of the target's hobbies and interests. That information is then used to craft an email designed to trigger an emotional reaction that makes the target click the link.

So why are phishing emails still the biggest cause of cyber breaches, both for companies and in our personal lives? The answer is simple: people. People are, and probably always will be, the biggest vulnerability in any organisation. Sadly, it is not really the user's fault either; attackers prey on human emotions, appealing to anxiety, curiosity, greed and trust.

Some may ask why we don't put more restrictions on email traffic and limit what users can do with their emails. There is a point, however, at which security starts to impact usability, and you have to draw the line somewhere.

That really leaves one option, and it isn't more expensive technology and software: it is going back to basics and providing regular training. But how do you provide effective training against phishing attacks? Start by establishing a baseline of your staff's awareness of phishing emails, mainly so that you can see whether people are improving. Some may wonder how to get that baseline, but the answer is staring straight at them: phish your own company. By running a phishing campaign against your own organisation you are not only testing your staff, you are giving them practice with safe emails. Once you have the baseline you can run training sessions teaching people what to look out for, then run another campaign a few months later to see whether there has been an improvement.

The training doesn't need to be hugely extensive either; it just needs to cover the basics of how to identify phishing emails and who to report them to. Here are some top tips for spotting phishing emails:

Does the email contain links?
If the email contains links, they may claim to take you to one website but actually take you to a malicious one. So, before clicking any link, hover your mouse cursor over it: the real destination will be shown either just above the link or at the bottom of your screen.
You can test this with the link below, which I have made look as if it goes to the NCSC website but which actually takes you to the Aristi website: https://www.ncsc.gov.uk

Check the email address and URL domain name (domainname.com)
Attackers rely on people not knowing how the DNS naming structure works. They will put trusted names such as Microsoft or Apple at the start of their domain names, because it is the part just before the top-level domain (evildomain.com) that says who really owns the address. So look out for anything even slightly suspicious, such as Microsoft.evildomain.com or john.smith@microsoft.evildomain.com.
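The two checks above (does the visible link text match where the link really goes, and is a trusted brand sitting in a subdomain of an unrelated domain) can be automated over the HTML body of a message. The following is an added example written for this page, not Aristi's own tooling or a product. The trusted-domain list, the sender address and the HTML are constructed for illustration, and the tiny public-suffix table is an assumption standing in for the real Public Suffix List, which a production check should use.

```python
"""Flag two classic phishing tells in an HTML email:
 1. link text that displays one URL while the href goes somewhere else
 2. a trusted brand name used as a subdomain of an unrelated registrable domain
Added example for this article; not Aristi code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains your organisation genuinely receives mail from.
TRUSTED_DOMAINS = {"microsoft.com", "apple.com", "paypal.com", "ncsc.gov.uk"}

# Assumption: a deliberately tiny stand-in for the Public Suffix List.
# Real deployments should load the full list (e.g. via the publicsuffix2 package).
TWO_LABEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk", "com.au"}

URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def registrable_domain(host):
    """Return the part of a hostname that somebody actually registered,
    e.g. login.microsoft.evildomain.com -> evildomain.com, www.ncsc.gov.uk -> ncsc.gov.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(text):
    """If the visible link text looks like a URL or bare domain, return its hostname."""
    text = text.strip()
    if not URL_LIKE.fullmatch(text):
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def brand_abuse(host):
    """Return the trusted domain whose brand label appears in `host` while the
    registrable domain is something else (microsoft.evildomain.com), else None."""
    if not host or registrable_domain(host) in TRUSTED_DOMAINS:
        return None
    labels = host.lower().split(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted.split(".")[0] in labels:
            return trusted
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def analyse_email(sender, html):
    """Return a list of (where, value, reason) findings for the sender and each link."""
    findings = []
    sender_host = sender.rsplit("@", 1)[-1]
    abused = brand_abuse(sender_host)
    if abused:
        findings.append(("sender", sender,
                         f"'{abused}' used under unrelated domain {registrable_domain(sender_host)}"))
    parser = LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        shown = host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(href_host):
            findings.append(("link", href, f"text shows {shown} but goes to {href_host}"))
        abused = brand_abuse(href_host)
        if abused:
            findings.append(("link", href,
                             f"'{abused}' used under unrelated domain {registrable_domain(href_host)}"))
    return findings


# Constructed sample message: sender and body are made up for this example.
SAMPLE_SENDER = "john.smith@microsoft.evildomain.com"
SAMPLE_HTML = """
<p>Dear customer,</p>
<p>Sign in at <a href="https://login.microsoft.evildomain.com/auth">https://login.microsoft.com</a></p>
<p>Read <a href="https://example.com/landing">https://www.ncsc.gov.uk</a> for guidance.</p>
<p>Or see the genuine <a href="https://www.ncsc.gov.uk/guidance">NCSC guidance</a>.</p>
"""

if __name__ == "__main__":
    for where, value, reason in analyse_email(SAMPLE_SENDER, SAMPLE_HTML):
        print(f"[{where}] {value}: {reason}")
```

The sample reports the sender address, the first link twice (mismatched text and brand-in-subdomain) and the second link once (the same NCSC-looking trick the article demonstrates), while the genuine NCSC link produces nothing. Note that this only catches the two tells discussed here; look-alike registrations such as micros0ft.com or brand names in the path rather than the host need separate checks.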

Spelling and grammar
Important emails from other companies are generally reviewed for spelling and grammar, so the likelihood of mistakes is low. If you receive an email with spelling mistakes or poor grammar, check for any other hints that it may be malicious.

The message asks for personal information
If an email asks for personal information, treat it as a phishing email no matter who it appears to be from, because you don't know who has access to that mailbox or whether it has been compromised. If you are uncertain, or it is from someone you know and trust, contact them directly by phone to confirm it was them and why they need the information.

The offer seems too good to be true
There is an old saying that if something seems too good to be true, it probably is. That is especially true of emails.

You didn't initiate the action
If an email says you have won a contest or lottery that you never entered, you can bet it is a scam. Don't be dazzled by a prize from a draw you never took part in.

You are asked to send money
Eventually the attacker will ask for money; at that point you know you are being phished and should stop all interaction and report it. Unless you are expecting an invoice or similar payment request, don't open it or send money. If you are unsure, call the sender or check whether someone else in the office is expecting it.

The message makes unrealistic threats
Attackers will sometimes try to scare you into an impulsive reaction by threatening that something bad will happen if you don't act straight away. For example, a 'bank' emails to say something is wrong and your account will be frozen and all your assets seized unless you respond with ID documents.

The message appears to be from a government agency
Attackers quite often pretend to be government agencies requesting information or asking you to visit a website, and because we are all law-abiding citizens we do as we are told. Be a little more cautious of any email from a government agency that is not purely informational.

Something just doesn't look right
Instincts are truly amazing and quite often correct, so if you follow the JDLR (Just Doesn't Look Right) principle you are likely to pick up most phishing emails.

If you would like some help with your phishing campaign or training your staff, contact us or call us on 0121 2225630.

Thomas Dold CCP SIRA is a Cyber Security Consultant at Aristi. Tom has over 4 years' experience in information assurance and risk management. Having worked for a range of clients from the private sector to defence, he is experienced in protecting sensitive information through formal risk assessment and providing information assurance advice.
